Protect Your Practice. Stay HIPAA Compliant. Simplify IT.
As a medical provider, protecting patient health information (PHI) isn’t optional—it’s the law. Under HIPAA, any third-party vendor handling PHI for your practice is considered a Business Associate and must meet strict compliance standards. That’s where Farmhouse Networking comes in.
We act as your trusted HIPAA-compliant technology partner, providing the IT expertise and security safeguards your medical office needs to protect patient data, pass audits, and avoid costly violations.
Our role as your Business Associate means we’re responsible for—and trained in—implementing the administrative, physical, and technical safeguards required by the HIPAA Security Rule. In everyday terms, this means:
- Protecting your network with advanced monitoring and security controls
- Automating maintenance tasks so your systems stay patched and up to date
- Providing expert oversight to keep your technology running smoothly
- Helping you make informed technology decisions that align with compliance standards
From medical billing systems to EHR platforms, we keep your data secure so you can focus on patient care—not IT headaches. Small practices face the same compliance requirements as large hospitals, but without the same IT resources. That’s why partnering with a specialized team like Farmhouse Networking can be the difference between worrying about security—and knowing it’s handled.
Protect your patients, protect your practice. Let Farmhouse Networking be the Business Associate you can rely on for HIPAA compliance and worry-free technology management.
Looking to Become PCI Compliant
PCI DSS v4.0.1, published in June 2024, is the current version of the payment card data security standard. It is a limited revision that clarifies the v4.0 requirements and gives merchants and payment processors more detail on what is expected, rather than adding new requirements. Several v4.0 requirements that were originally future-dated became mandatory on March 31, 2025, and small businesses will want to pay particular attention to that handful of changes.
Looking to Become CMMC Compliant
The Cybersecurity Maturity Model Certification (CMMC 2.0) rule governing the cybersecurity of Defense Industrial Base contractors was finalized at the end of 2024. Its requirements are based on NIST SP 800-171 (with NIST SP 800-172 at the highest level), and contractors will need to complete an assessment, self-assessed or third-party depending on the level, to become certified.

HIPAA Compliance Services & Risk Assessments for Healthcare Practices:
Protect Your Patients. Avoid Costly Fines. Stay Audit-Ready.
If your medical office handles electronic Protected Health Information (ePHI), you’re required to follow the HIPAA Privacy & Security Rules — but navigating them is complex, time-consuming, and risky if done wrong.
At Farmhouse Networking, we make HIPAA compliance simple. Our expert HIPAA risk assessment and compliance services identify vulnerabilities, strengthen your network security, and keep your practice protected year-round.
Our HIPAA Compliance Process
- Comprehensive HIPAA Risk Assessment – Identify security gaps in your systems, procedures, and technology.
- Custom Security Policies & Documentation – Clear, audit-ready policies that meet HIPAA, HITECH, and Omnibus requirements.
- Cybersecurity Safeguards – Firewalls, encryption, monitoring, and more to protect patient data.
- Ongoing Compliance Management – Regular reviews and updates so you stay compliant as regulations change.
With us, you get more than a checklist — you get a partner who ensures continuous HIPAA compliance so you can focus on patient care instead of paperwork.
Don’t wait for a data breach or an audit to find out your practice isn’t compliant.
Frequently Asked Questions (FAQ)
Who is required to comply with HIPAA?
HIPAA applies to two categories of organizations. Covered entities are those that directly handle patient care or payment – medical practices, clinics, hospitals, dental offices, pharmacies, and health insurance plans. Business associates are third-party vendors that handle protected health information on behalf of a covered entity – including IT providers, billing companies, and cloud storage vendors. If your practice uses any third-party technology or services that touch patient data, both you and those vendors have compliance obligations.
What is the difference between the HIPAA Privacy Rule and the HIPAA Security Rule?
The Privacy Rule governs how protected health information can be used and disclosed – it covers all forms of PHI including paper records and verbal communication. The Security Rule specifically addresses electronic protected health information (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect it. Most IT-related HIPAA work falls under the Security Rule, though both rules apply to healthcare practices and both are addressed in our compliance services.
What are the penalties for a HIPAA violation?
HIPAA civil penalties are tiered by level of culpability. The statutory amounts range from $100 per violation for infractions the entity did not know about (and could not reasonably have known about) up to $50,000 per violation for willful neglect, with an annual cap per violation category that started at $1.5 million; HHS adjusts these figures for inflation each year, so the current cap is now above $2 million. A single breach affecting thousands of patient records can result in multimillion-dollar penalties. Beyond fines, a breach affecting 500 or more individuals must be reported to HHS and to prominent media outlets within 60 days, bringing public scrutiny and lasting damage to patient trust. The cost of compliance is significantly lower than the cost of a violation.
Does Farmhouse Networking sign a Business Associate Agreement?
Yes, without exception. Every healthcare client we work with receives a formal Business Associate Agreement as part of onboarding. The BAA defines our responsibilities for protecting ePHI, documents our compliance obligations, and establishes the contractual foundation required by HIPAA before any work begins on your environment. If your current IT provider has not signed a BAA with you, that is itself a compliance gap.
What does a HIPAA risk assessment involve, and what will we receive?
Our risk assessment is a thorough evaluation of your practice’s technical environment and security posture as it relates to HIPAA requirements. The process involves one to two days onsite at each of your locations. Within seven days of the assessment, you receive a written report with findings and a remediation roadmap — a clear, prioritized set of recommendations that tells you exactly what needs to be addressed and in what order. The report is audit-ready documentation that demonstrates your practice took a proactive approach to compliance.
What does ongoing HIPAA compliance management include?
Ongoing compliance management is not a one-time fix – it is a continuous process. Our program includes automated policy review and tracking to ensure your documentation stays current, regular staff training on HIPAA security awareness, periodic risk assessments to catch new vulnerabilities as your environment evolves, and incident response management if a security event occurs. HIPAA requires covered entities to review and update their safeguards regularly, and our ongoing management handles that process, so it does not fall through the cracks.
How often does HIPAA compliance need to be reviewed?
HHS does not prescribe a fixed review schedule, but the expectation is that covered entities conduct risk assessments periodically and whenever significant changes occur – new software, new staff, new locations, new technology, or after a security incident. In practice, annual reviews at minimum are considered the standard. Our ongoing compliance program handles this systematically, so your practice is never caught off guard.
Which EHR and medical billing platforms do you have experience with?
We have hands-on experience with Medisoft, Tebra, ChiroTouch, and OPIE. If your practice uses a platform not on that list, we are accustomed to learning and supporting specialized medical software and will evaluate your environment before making any recommendations.
Does using cloud services or email affect our HIPAA obligations?
Yes, significantly. Consumer-grade tools (standard Gmail, personal Dropbox, unencrypted email) are not HIPAA-compliant and should not be used to transmit or store ePHI. Any cloud platform that touches patient data must be configured correctly, and the vendor must sign a BAA. This is a common gap in small practices that adopted cloud tools for convenience without considering the compliance implications. We evaluate your current tool stack as part of our risk assessment and help you identify and remediate any gaps.
Are HITECH and the Omnibus Rule covered in your standard HIPAA service?
Yes. HITECH introduced HIPAA's breach notification requirements and made business associates directly liable for compliance. The Omnibus Rule of 2013 implemented those changes and strengthened enforcement. Our compliance services address all three – HIPAA, HITECH, and the Omnibus Rule – as a unified framework. There are no separate engagements or additional fees for coverage of those requirements.
Do you provide HIPAA security awareness training for our staff?
Yes. Staff training is a required component of HIPAA compliance and a critical line of defense – many healthcare breaches begin with a phishing email or a staff mistake rather than a technical exploit. We provide regular security awareness training for healthcare staff as part of our ongoing compliance management program. Training covers phishing recognition, proper handling of ePHI, password hygiene, and safe use of devices and applications in a clinical environment.
What happens if we experience a data breach?
If a breach occurs, we assist with the full incident response process including the breach notification requirements mandated by HIPAA and HITECH. This includes helping you assess the scope of the breach, determine notification obligations, prepare required notifications to affected individuals and HHS, and document the incident and response for your records. Every managed IT client also receives incident response documentation in advance, so your team has a clear playbook before an incident ever occurs.
Will you support us during an OCR audit or regulatory investigation?
Yes. If your practice faces an Office for Civil Rights audit or a state-level investigation, we provide documentation support and participate in that process. Our ongoing compliance management is designed to keep your documentation audit-ready at all times – so if an audit is triggered, you are not scrambling to reconstruct records after the fact.
Can a small practice afford HIPAA compliance services?
HIPAA compliance is not optional regardless of practice size – small practices face the same regulatory requirements as large hospital systems, and OCR has levied significant fines against small providers. The more relevant question is whether your practice can afford the cost of non-compliance. Our services are structured to fit the budgets of small and mid-sized practices, and the risk assessment that starts the process is provided at no charge. We will give you an honest picture of what compliance work your environment actually requires before any commitment is made.
How do I get started?
Schedule your HIPAA risk assessment using the form on this page. The assessment includes one to two days onsite, a written findings report, and a remediation roadmap delivered within seven days. There is no cost and no obligation to schedule the assessment.